Date       : January 31, 2011
Reply to
Attn of    : Office of Inspector General (OIG)

Subject    : Audit Memorandum No. 11-09: Follow-up of NARA’s Work at Home System (WAHS)

To         : David S. Ferriero, Archivist of the United States


In 2010, the OIG initiated follow-up audit work on the previously issued Audit of NARA’s Work at Home System [1] (WAHS). We initiated this work as a result of concerns regarding the number of RSA tokens [2] managed and paid for by the National Archives and Records Administration (NARA). Specifically, in the previous audit, we found NARA paid a yearly maintenance cost of $215,000 for 3,000 RSA tokens in April 2008, even though only a small portion, approximately 50 tokens, had been distributed and were in use for user testing. Then, in June 2009, NARA planned to pay another $235,000 for the renewed maintenance of these 3,000 tokens, even though the system would not be fully deployed until at least December 2009. Recognizing that 3,000 tokens may not be needed, management lowered the number of tokens to 1,500, decreasing the yearly maintenance cost to $143,100.

Given these and other concerns in NARA’s management and monitoring of the RSA tokens, we sought to determine whether the RSA tokens were fully utilized; whether terminated employees were still assigned tokens for remote access; and whether token holders were susceptible to social engineering. To meet these objectives, we examined applicable laws, regulations, and NARA guidance; met with Office of Information Services (NH) officials; compared a list of current token holders with a list of former NARA employees; and analyzed applicable contract documentation. In addition, we conducted random phone surveys with a sample of token holders.

Initially, we found weaknesses in NARA’s management of RSA tokens. However, due to higher audit priorities, our audit work was placed on hold, and in the interim improvements were made in the management of these tokens. For example, in March 2010, we found that only 726 of the 1,500 tokens had been distributed to users of the WAHS. However, after the initial implementation of two-factor authentication [3] on NARA web mail in April 2010, more NARANet [4] users began to request RSA tokens. In fact, additional RSA tokens needed to be purchased to fulfill these requests. Thus, in May 2010, NARA increased the number of tokens provided by the contractor from 1,500 to 2,250, resulting in a total annual cost of $155,142 from June 2010 to July 2011. As of January 2011, 1,791 of the 2,250 tokens have been distributed to NARANet users. The remaining tokens (approximately 450, or 20%) are in inventory for new user requests and replacement of lost or stolen tokens.

Also, in March 2010, we identified seven former NARA employees who were still assigned RSA tokens. Accounts for these terminated employees should have been disabled or removed to prevent their access to NARA’s information resources. We later found that these seven former employees were no longer assigned tokens. Further, from a sample of lost or stolen tokens, we found that such tokens had been disabled. Improvements in NARA’s account management and inventory of RSA tokens may have aided in identifying and disabling these accounts.

The National Institute of Standards and Technology (NIST) requires organizations to establish administrative procedures for information system authenticators, such as tokens. These procedures should cover processes for revoking authenticators. NARA’s Exit Clearance Procedures have incorporated the deactivation of RSA tokens. Specifically, the Exit Clearance forms include the return of RSA tokens and the termination of remote access to NARANet, if applicable. Tokens and remote access accounts for terminated employees should continue to be disabled or removed in a timely manner. Otherwise, former employees who retain remote access to critical or sensitive resources could pose a major threat to the agency, particularly individuals who left under unfavorable circumstances.

Finally, during phone surveys with token holders in March and April 2010, we used social engineering techniques [5] to try to obtain users’ personal identification numbers (PINs). User-created PINs, in combination with the number displayed on the users’ RSA tokens, are needed to access the WAHS. During our phone surveys, we were able to get one token holder to divulge her PIN; another would have given her PIN, but stated it was written down at home and she could not remember it. Both NIST and the Government Accountability Office (GAO) stress the importance of safeguarding passwords and authenticators, such as RSA tokens. Token holders need to be sufficiently informed of their responsibility in safeguarding their PINs and RSA tokens. Disclosed sensitive information, such as PINs, could be used to gain unauthorized access to NARA systems, which could lead to identity theft and loss of sensitive information.

In response to our efforts, NH was made aware of our attempts to obtain token holder PINs and other information. Subsequently, NARANet Services sent a warning email on April 7, 2010, to all NARANet users. This email instructed users to contact the help desk and report the incident if they received a call from someone conducting a survey about token use or from anyone asking them to validate their PIN over the phone. The email did include specific contact information for the NARANet help desk; however, it did not instruct or educate employees never to disclose sensitive information, such as their PIN, over the phone. An email such as this could have provided NARA officials with an additional opportunity to remind NARA employees of the importance of protecting sensitive information.

Both NIST and GAO emphasize that users should be aware of their responsibility to take reasonable measures to safeguard passwords and authenticators, such as tokens. Typical means for establishing and maintaining security awareness include comprehensive security orientation and refresher programs, which help communicate security guidelines to new and existing employees and contractors. Also, agencies can require users to periodically sign a statement acknowledging their awareness and acceptance of responsibility for securing devices and following all organization policies, including maintaining the confidentiality of passwords.

Social engineering was addressed in NARA’s 2010 Annual Security Refresher Training for NARANet. This training defined social engineering, discussed its threats, and provided an example of a telephone conversation leading to the disclosure of a user’s network password. Since this training is a yearly requirement, it was not provided to token holders until August 2010, four months after our phone surveys. More frequent reminders may be needed to prevent token holders from disclosing sensitive information. Without adequate training and continuous reminders, users are susceptible to divulging sensitive information over the phone to an unknown source.

Currently, NARA does not require token holders to sign an acknowledgement statement for the security and protection of their token and remote access. Instead, when users pick up their tokens, they are required to sign NARA Form 6032, Pick-up and Delivery Receipt, to indicate they have received their token. This is a general equipment form and does not address the user’s responsibility or accountability for the device. The latest Federal Information Security Management Act (FISMA) reporting guidance [6] encourages the use of remote access user agreements and rules of behavior. These would require users to sign a statement acknowledging their awareness and acceptance of responsibility for security.

Our audit work began in March 2010 and was completed in January 2011. Fieldwork was performed at Archives II in College Park, Maryland. We conducted this performance audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Currently, we are not making any recommendations. However, we suggest NARA continue to monitor the usage of RSA tokens; terminate and collect tokens of former employees; disable lost or stolen tokens; and provide continual reminders of the risks and tactics of social engineering. Also, we encourage NH to consider using acknowledgment statements for token holders to accept responsibility for security and for following all organizational policies for remote access.

Should you have questions regarding this assignment, please contact me at 301-837-1532 or James Springs, Assistant Inspector General for Audit, at 301-837-3018.


Paul Brachfeld
Inspector General


Notes

[1] Audit of NARA’s Work-at-Home System (OIG Audit Report No. 09-15), issued September 29, 2009.

[2] RSA tokens are the hardware devices used by NARA to provide two-factor authentication for remote access, to meet the requirements outlined in Office of Management and Budget (OMB) Memorandum M-06-16, Protection of Sensitive Agency Information. The token provides a random numeric code that is used in conjunction with the user’s identification and password.

[3] Two-factor authentication is a system wherein two different factors are used to authenticate a person’s identity. Using two factors as opposed to one delivers a higher level of authentication assurance.

[4] NARANet is NARA’s private, secure, internal network that supports all intra-NARA network communications. This includes workstations, account management, hardware, and software.

[5] Social engineering is the act of manipulating people into performing actions or divulging confidential information.

[6] OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.